Warn legacy browsers that do not support Content Security Policy (#29957)

* csp: warn legacy browsers that do not support CSP

The new csp.warnLegacyBrowsers configuration is enabled by default, and
it shows a warning message to legacy browsers when they access Kibana
to indicate that they are not enforcing the basic security protections
of the current install.

The protections check is the same as csp.strict, so this feature is
designed to be used as an alternative to aid in BWC. When csp.strict is
enabled, warnLegacyBrowsers is effectively ignored.

* fix ChromeService tests

* more test fixes

* csp injectvars in legacy test bundle

* update warning text and make it translatable

* no need to warn in legacy browser unit tests

* tests for chrome legacy browser warning

* document legacy browser warning breaking change

* update csp warning toast message

* add period, remove dev code
Court Ewing 2019-02-05 12:27:56 -05:00 committed by GitHub
parent bf6f419c28
commit 7094548bca
12 changed files with 198 additions and 26 deletions

@ -197,3 +197,12 @@ dependent on an unspecified port set to 9200, `:9200` will have to be appended t
*Impact:* Users with `elasticsearch.ssl.verify` set should use `elasticsearch.ssl.verificationMode` instead.
Previously set `elasticsearch.ssl.verify` is equal to `elasticsearch.ssl.verificationMode: full`.
[float]
=== Legacy browsers (namely IE11) will see a security warning message whenever they load Kibana
*Details:* Kibana now has a Content Security Policy, but it's only effective if browsers enforce it, and since older
browsers like Internet Explorer 11 do not support CSP, we show them a warning message whenever they load Kibana.
*Impact:* Nothing needs to be done necessarily, but if you don't need to support legacy browsers like IE11, we recommend
that you set `csp.strict: true` in your kibana.yml to block access to those browsers entirely. If your organization requires
users to use IE11, you might like to disable the warning entirely with `csp.warnLegacyBrowsers: false` in your kibana.yml.
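Review bot: the new "Legacy browsers" section should state how the two settings interact, since the commit message says `csp.warnLegacyBrowsers` is enabled by default and is effectively ignored when `csp.strict` is enabled; suggest adding "The warning is shown by default; when `csp.strict: true` is set, legacy browsers are blocked instead and `csp.warnLegacyBrowsers` has no effect." Two smaller wording points in the same hunk: the heading's "(namely IE11)" implies only IE11 is affected, but the check is the same feature check as `csp.strict`, so any browser without CSP support is warned; "such as IE11" would be more accurate. And "*Impact:* Nothing needs to be done necessarily, but ..." reads awkwardly; "No action is required by default, but ..." says the same thing more plainly.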